Hi there,
when looking through traffic analysis, I can more or less easily identify IP addresses that exhibit bad behavior (like massive port/address scanning, attempting to log into Joomla/WP administration URLs, POP3/SMTP account scanning, etc.) which need to be blocked. Now, since most of these IPs are not the actual culprits, but merely infected machines, it would be helpful for the internet health as a whole to report such incidents to their respective ISPs. Here's where the problem starts :)

My manual approach would be to look up whois data for the respective IP (which by itself can be a multi-step process, since you first need to find the right registry), and look for an abuse contact there. But whois isn't exactly engineered for automated mass lookups (+), and if I did this I'm sure I'd probably be violating terms of use of at least some of the registry whois servers, and be locked out.

So, what alternatives are there? I saw that abuse.net keeps a nice DNS-based lookup service for domain names, but they unfortunately don't do this for IP addresses. How are others doing this? I know I occasionally received output of fail2ban scripts when working for a larger ISP. Are these all in-house local developments?
Cheers, Markus
(+) Joomla/WP scans alone yielded > 3000 IP addresses in one day for our little network...
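The two-step lookup described in the message above (find the registry, then read the abuse contact), as an added example that is not part of the original post. It caches each returned allocation so that many offenders in one netblock cost a single lookup. `fake_query` is a hypothetical stand-in for a port-43 whois query, and its responses, addresses (documentation ranges) and contacts are constructed; only the field names `refer:`, `abuse-mailbox:` and `OrgAbuseEmail:` follow what IANA, RIPE and ARIN print. IPv4 only.

```python
import ipaddress
import re

FIELD = re.compile(r"^([A-Za-z-]+):[ \t]*(\S.*?)[ \t]*$", re.M)
OFFENDERS = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "192.0.2.200", "198.51.100.9"]  # constructed

def fake_query(server, ip):
    """Hypothetical stand-in for a port-43 whois query; all text is constructed."""
    if server == "whois.iana.org":  # step 1: which registry holds this address?
        rir = "whois.ripe.net" if ip.startswith("192.0.2.") else "whois.arin.net"
        return f"% constructed sample\nrefer:        {rir}\n"
    if server == "whois.ripe.net":
        return ("inetnum:        192.0.2.0 - 192.0.2.255\n"
                "abuse-mailbox:  abuse@isp-a.example\n")
    return ("NetRange:       198.51.100.0 - 198.51.100.255\n"
            "OrgAbuseEmail:  abuse@isp-b.example\n")

def parse(text):  # first value of each "key: value" line, keys lower-cased
    out = {}
    for key, val in FIELD.findall(text):
        out.setdefault(key.lower(), val)
    return out

class AbuseLookup:
    def __init__(self, query):
        self.query, self.cache, self.queries = query, [], 0
    def _ask(self, server, ip):
        self.queries += 1
        return parse(self.query(server, ip))
    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for first, last, contact in self.cache:  # answered by an earlier lookup?
            if first <= addr <= last:
                return contact
        rec = self._ask("whois.iana.org", ip)
        if "refer" in rec:  # step 2: follow the referral to the registry
            rec = self._ask(rec["refer"], ip)
        contact = rec.get("abuse-mailbox") or rec.get("orgabuseemail")
        span = rec.get("inetnum") or rec.get("netrange")
        if span:  # remember the whole allocation, not just this one address
            first, last = (ipaddress.ip_address(p.strip()) for p in span.split("-"))
            self.cache.append((first, last, contact))
        return contact

def group_by_contact(ips, lookup):
    groups = {}
    for ip in ips:
        groups.setdefault(lookup.lookup(ip), []).append(ip)
    return groups
```

With the five constructed addresses, `group_by_contact(OFFENDERS, AbuseLookup(fake_query))` yields one report list per abuse mailbox after four queries instead of ten.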